Security vendors slow to respond to new evasion techniques

By William Jackson

Aug 04, 2011

LAS VEGAS — Ten months after Stonesoft Corp. announced the first batch of sophisticated techniques to help malware avoid standard detection methods, few security vendors are responding to what are called advanced evasion techniques.

Mark Boltz, senior solutions architect for the Finnish security company, called the response — or lack of it — disconcerting.

"The typical reaction is that evasion is old news, it’s been around for years," Boltz said. "Yes, it is old news. But it also is a big deal. Why aren’t we fixing it?"

AETs are combinations of simple and often well-known evasion techniques that can be used by malicious exploits to evade standard security tools, such as intrusion detection and prevention systems, that might detect a stand-alone trick. Stonesoft reported the first batch of 23 combinations to the Finnish Computer Emergency Response Team in October 2010 and in February of this year announced another batch of 124 AETs. Boltz called this the "tip of the iceberg" because of the number of possible combinations.

Stonesoft is beating the drum for AET testing this week at the Black Hat Briefings. The company has redesigned its Predator internal testing tool and is offering it as a service to randomly generate variations of evasion techniques to test security tools’ ability to recognize them. NSS Labs and ICSA Labs are using it in their product testing, he said.

Evasion techniques manipulate TCP/IP protocols that underlie the Internet and other IP networks, using tricks such as packet fragmentation and TCP segmentation. Breaking up an exploit and putting it into packet fragments, for instance, can confuse intrusion prevention systems. But the packets will be reassembled by the host device being attacked.

The company began researching this subject in 2009 to see how well its own products responded to these tricks and found that some combinations were able to slip through undetected. It went on to identify specific AETs for which its tools and those of other companies were vulnerable.

All the research Stonesoft has done to date has been on IPv4 traffic, Boltz said. "We haven’t even looked at what is possible with IPv6," the new generation of the Internet Protocol that is gradually being adopted across the Internet.

So far only six of about 60 vendors have responded by updating their tools to the first release of 23 AETs, Boltz said. There have been no responses so far to the second release.

Given the large number of possible AETs, there is no single solution to the threat they pose, and signature-based solutions will not be effective against them, Boltz said.

"The point isn’t to look for specific things," he said. "The point is that signatures don’t work."

Detection engines need to be redesigned to normalize network traffic so that the new configurations of techniques can be spotted. When this was first suggested in 2001, performance and latency were barriers, Boltz said. But with new processors, memory and 64-bit operating systems, "you can do that."
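The two points above, that a payload split across fragments or segments is reassembled by the host but may be missed by a packet-at-a-time engine, and that detection therefore has to normalize the stream first, reduced to a small illustration. This is an added example, not Stonesoft's Predator or any vendor's engine; the toy signature, the sample segments and the "first"/"last" overlap policies are constructed for it.

```python
from typing import Dict, List, Tuple

# (relative TCP sequence number, payload); list order is arrival order
Segment = Tuple[int, bytes]
PATTERN = b"/bin/sh"  # toy byte-signature, constructed for this example

def naive_per_segment_match(segments: List[Segment], pattern: bytes = PATTERN) -> bool:
    """Signature check on each segment by itself, as a packet-at-a-time engine does."""
    return any(pattern in payload for _, payload in segments)

def reassemble(segments: List[Segment], policy: str = "first") -> bytes:
    """Normalize TCP segments into the contiguous byte stream a host would deliver.

    Segments may arrive out of order and may overlap. On overlap, 'first' keeps the
    bytes of the earlier-arriving segment, 'last' lets later data overwrite them.
    Hosts differ here, so a normalizer must use the policy of the host it protects.
    """
    buf: Dict[int, int] = {}
    for seq, payload in segments:
        for i, byte in enumerate(payload):
            pos = seq + i
            if policy == "last" or pos not in buf:
                buf[pos] = byte
    out = bytearray()
    pos = 0
    while pos in buf:  # stop at the first gap; bytes never received cannot be matched
        out.append(buf[pos])
        pos += 1
    return bytes(out)

def normalized_match(segments: List[Segment], pattern: bytes = PATTERN, policy: str = "first") -> bool:
    """Signature check on the normalized stream rather than on individual segments."""
    return pattern in reassemble(segments, policy)

# Constructed sample 1: the pattern is split over three out-of-order segments,
# so no single segment contains it, but the reassembled stream does.
EVASIVE_SEGMENTS: List[Segment] = [(10, b"h\n"), (0, b"GET /bi"), (7, b"n/s")]

# Constructed sample 2: overlapping segments. With 'first' the normalizer sees
# "/bin/XX"; a host that favours later data sees "/bin/sh" and the check misses.
OVERLAP_SEGMENTS: List[Segment] = [(0, b"GET "), (4, b"/bin/XX"), (9, b"sh\n")]

if __name__ == "__main__":
    print("per-segment match:", naive_per_segment_match(EVASIVE_SEGMENTS))   # False
    print("normalized match :", normalized_match(EVASIVE_SEGMENTS))          # True
    for pol in ("first", "last"):
        print(f"overlap, {pol}-wins:", normalized_match(OVERLAP_SEGMENTS, policy=pol))
```

The second sample is why normalization alone is not enough: the engine must reassemble with the same policy as the protected host, or it inspects a stream the host never sees.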

Attacks using AETs have not yet been identified in the wild, but that does not mean they are not there, he said. "That is something we can’t measure, per se. The evasions are undetectable." There are a growing number of successful breaches that have not yet been attributed to known attacks, however, he added. "Maybe AETs are part of the reason."

Research on AETs is continuing, and the first batch of 23 reported in October 2010 now is public. "The clock is ticking," Boltz said. "We need to get moving on it."